Privacy policy

1. Who we are (data controller)

This website (and related services) is operated by ELSOUL LABO B.V. (Amsterdam, the Netherlands) ("we", "us", "our").

Chamber of Commerce (KvK) number: 80297625
Privacy contact: [email protected]

We do not fall under the categories of organisations for which appointing a Data Protection Officer (DPO) is mandatory under Article 37 of the GDPR. We re-evaluate this assessment annually under Article 37(1).

2. Scope of this policy

This policy applies when you:

browse our public websites without logging in, and
use member-only features that require authentication (e.g., ERPC dashboards / account features).

3. Data we process

On public pages, we ourselves do not use analytics tools such as Google Analytics, advertising tags, or cookies for behavioural tracking.

However, to provide the website, infrastructure providers such as hosting/CDN providers may process technical access logs for security and incident response, such as:

IP address and user-agent (browser/OS, etc.)
timestamp, requested URL, referrer
response status and security-related metadata

We use Cloudflare as our hosting and CDN provider, but we do not use Cloudflare's behavioral-analytics products. Cloudflare's role is limited to infrastructure operation; behavioral tracking is not part of that scope.

3.2 Contact

If you contact us by email, we process the information you provide (such as your email address and message) to respond.

If you create an account or sign in (e.g., via Discord), we may process the following to provide the service:

account identifiers (e.g., email address, Discord user ID, username)
authentication/session information (e.g., tokens, API keys)
service configuration and usage necessary to provide the service (e.g., plan, subscription status, allowed IPs, rate-limit and abuse-prevention logs)
support history and communications

Usage analytics (customer support and service quality)

Purpose: To improve service quality and provide customer support, we may collect logs of page navigation, feature use, and interaction events made by you while logged in to member services, and analyze them internally.

Lawful basis: Article 6(1)(f) GDPR — legitimate interests pursued by us in providing reliable customer support and improving the service. We have performed a Legitimate Interests Assessment (LIA) balancing these interests against your rights and freedoms; the LIA is available on request.

What we collect:

Page transitions (dashboard navigation paths, normalized to remove resource identifiers — e.g. /user/baremetal/:id not /user/baremetal/<actual-id>)
Categories of feature use (resource management, settings changes, authentication, etc. — full list maintained alongside this clause)
Internal resource identifiers (e.g. baremetal/VPS/RPC instance IDs) when you perform an action on a specific resource, retained as internal pseudonyms for the same retention period as page-transition events
Operation timestamps
Device family + major version, browser family + major version, and locale
IP addresses, stored only as a salted hash (the salt is never rotated and is held as a tier-1 secret)

What we do NOT collect:

Request bodies
Search query strings
API keys or authentication tokens
Raw IP addresses

Recipients / processors: Cloudflare, Inc. (United States) acts as our data processor for storage and processing of these logs, under a Data Processing Agreement and EU Standard Contractual Clauses (SCCs). A Transfer Impact Assessment (TIA) is documented for this transfer. See Section 7 for further detail on international transfers.

No automated decision-making with legal or similarly significant effect: We may use AI-assisted analysis to summarise behaviour patterns for internal support staff, but no automated decision is made that has legal effect on you or similarly significantly affects you (Article 22 GDPR).

Retention: Logs collected for this purpose are deleted within 30 days as a rule (see Section 8).

Right to object: You may object to this processing at any time under Article 21 GDPR by contacting [email protected]. We will cease processing your data for this purpose unless we demonstrate compelling legitimate grounds that override your rights.

Right to deletion: Upon a deletion request under Article 17, we delete all events, sessions, and presence state associated with you. We retain a pseudonymized record (HMAC-SHA256 of your user identifier with a separate key) in our audit log for up to 12 months under Article 6(1)(f) for security and accountability purposes. This pseudonymized record remains personal data within the meaning of Article 4(1) GDPR.

Data Protection Impact Assessment (DPIA): A DPIA has been completed for this processing (Article 35 GDPR). It is available on request to [email protected].

Activation status: This usage analytics pipeline is currently active in our staging environment only. Production activation is gated on completion of the Phase 0 documentation (DPIA / LIA / ROPA) and a feature-flag flip, on a timeline independent of the publication date of this Privacy Policy. Publication of this Privacy Policy version constitutes our Article 13 GDPR information for the contemplated processing.

3.4 Payments (Stripe)

Payments for paid plans are processed by Stripe. We do not store payment card details.

Stripe processes payment-related personal data as an independent data controller. To the extent necessary for billing and contract management, we may receive information from Stripe such as customer IDs, subscription status, invoices/receipts, and payment metadata.

We process personal data only when we have a legal basis under applicable laws (including the GDPR), such as:

Contract: providing member services, account management, and support
Legitimate interests: operating and maintaining our websites/services, security, fraud/abuse prevention, troubleshooting
Legal obligation: accounting and tax compliance, and other legal requirements
Consent: optional communications (e.g., marketing), where applicable (you can withdraw consent at any time)

5. Cookies and similar technologies

Public pages: we ourselves do not use cookies for analytics/advertising.
Member features: we use strictly necessary cookies (e.g., sessions) to keep you signed in. Disabling them may break some functionality.
Third-party services: Stripe and Discord may use their own cookies/technologies (outside our control).

We do not sell personal data.

We may share personal data with service providers (e.g., hosting/infrastructure (Cloudflare, Inc.), email delivery, payments (Stripe), authentication (Discord)) to the extent necessary. We enter into data processing agreements (DPAs) with such providers in accordance with applicable laws.

7. International transfers

We are based in the European Economic Area (EEA), but our service providers (e.g., Stripe, Discord) and infrastructure locations may involve processing outside the EEA (e.g., the United States).

In such cases, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) and minimise the data transferred. We do not use service providers for the purpose of intentionally transferring or storing personal data in jurisdictions considered high risk.

For the new usage analytics processing described in Section 3.3, our processor is Cloudflare, Inc. (headquartered in the United States). Although Cloudflare provides EU-region edge infrastructure, US parent-company access under applicable US law (e.g. CLOUD Act) is treated as an international transfer.

Some processing involves transfer to the United States (Cloudflare). Such transfers are covered by the EU-US Data Privacy Framework adequacy decision (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023) and additionally protected by Standard Contractual Clauses. We rely on the European Commission's 2021/914 Standard Contractual Clauses, Module 2 (controller-to-processor), incorporated under the Cloudflare Data Processing Addendum, as the primary mechanism for this transfer, with the 2023 EU-US Data Privacy Framework adequacy decision as a secondary safety net. We have performed a Transfer Impact Assessment (TIA) documenting supplementary technical measures (encryption at rest and in transit, access auditing, no public bucket access).

8. Retention

We keep personal data only for as long as necessary for the purposes described above:

technical logs: retained for a limited period for security/troubleshooting
account data: kept while your account is active; deleted or anonymised where appropriate after closure
accounting/billing: retained for the period required by Dutch law (generally 7 years), etc.
Usage analytics logs (Section 3.3): deleted within 30 days as a rule.
Daily aggregate usage summaries (Section 3.3): retained up to 90 days, used for internal trend analysis.
Audit logs (records of deletion requests and access auditing; user identifiers stored as HMAC pseudonyms — pseudonymous personal data, not anonymous): retained up to 12 months (legitimate interest under GDPR Article 6(1)(f)).
Dead-letter queue inspection bucket (Section 3.3): retained up to 7 days, access restricted to designated administrators.

9. Your rights

Depending on your location and applicable law (including GDPR), you may have the right to request:

access, rectification, erasure
restriction of processing, objection
data portability
withdrawal of consent (where processing is based on consent)

To exercise your rights, contact us at [email protected]. You also have the right to lodge a complaint with the Dutch supervisory authority (Autoriteit Persoonsgegevens) or your local authority.

We do not conduct automated decision-making or profiling that produces legal or similarly significant effects on you.

10. Changes

We may update this policy from time to time by publishing a new version on this page.

Last updated: 2026-05-10